Hi,

This issue was raised by this email thread on openvpn-users:

<https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg03119.html>

Basically our new Authenticode (user-mode) certificate can only do SHA2 
signatures, which Windows XP and Vista do not support. In practice both 
operating systems will complain about an "unknown publisher".

Moreover, our EV dongle that is used to sign tap-windows6 can only do 
SHA2 signatures. So, any tap-windows6 driver signed with the dongle will 
get rejected by Windows Vista. The approach we took for the previous 
tap-windows6 release was to have two signatures (SHA1+SHA2), but now 
that option is gone.

I'm told that rekeying the Authenticode (user-mode) certificate as SHA1 
is no longer possible, which is in line with Microsoft's recommendations 
for CAs:

"Enforcement details"

"Code signing certificates"

"CAs should issue new code signing certs with SHA-1 after 1/1/2016 only 
for developers targeting Vista/2008, otherwise, move all new certs to SHA2"

The above quotes are from

<http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx>

We have already dropped XP support from OpenVPN Git "master". I think 
now is the time to drop official XP support altogether, but to maintain 
Vista support until the next tap-windows6 release.

Thoughts?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
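The dual-signature approach the thread refers to (a SHA-1 file signature plus a SHA-2 signature nested inside it) can be checked on a signed binary rather than inferred from the certificate. The following Python is an added example, not code from the thread or from the OpenVPN or tap-windows6 projects: it walks the PKCS#7 SignedData that Authenticode stores in the PE security directory (the bCertificate payload of the WIN_CERTIFICATE entry) and lists the digest algorithms it finds, following signatures nested through Microsoft's szOID_NESTED_SIGNATURE attribute (1.3.6.1.4.1.311.2.4.1). The fake_signed_data builder and the os_support summary are constructed for illustration; the sample blobs are structurally valid but are not real signatures, and nothing here verifies a signature.

```python
"""Report which digest algorithms an Authenticode PKCS#7 signature carries
(SHA-1, SHA-2, or both via a nested signature). Standard library only; this
walks the DER structure and performs no cryptographic verification."""
DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
               "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_NESTED_SIGNATURE = "1.3.6.1.4.1.311.2.4.1"  # szOID_NESTED_SIGNATURE (dual signing)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_digests(der):
    """Digest names in a SignedData blob: outermost signature first, then nested ones."""
    _, p, _ = read_tlv(der, 0)                      # ContentInfo SEQUENCE
    _, s, p = read_tlv(der, p)                      # contentType OID
    if decode_oid(der[s:p]) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    _, p, _ = read_tlv(der, p)                      # [0] EXPLICIT wrapper
    _, p, _ = read_tlv(der, p)                      # SignedData SEQUENCE
    _, _, p = read_tlv(der, p)                      # version
    _, da, p = read_tlv(der, p)                     # digestAlgorithms SET
    _, ai, _ = read_tlv(der, da)                    # first AlgorithmIdentifier
    _, s, e = read_tlv(der, ai)                     # its algorithm OID
    found = [DIGEST_OIDS.get(decode_oid(der[s:e]), "unknown")]
    _, _, p = read_tlv(der, p)                      # contentInfo (SpcIndirectData)
    tag, _, end = read_tlv(der, p)
    while tag in (0xA0, 0xA1):                      # optional certificates / crls
        p = end
        tag, _, end = read_tlv(der, p)
    _, p, si_end = read_tlv(der, p)                 # signerInfos SET
    while p < si_end:
        _, q, p = read_tlv(der, p)                  # one SignerInfo
        while q < p:
            tag, vs, q = read_tlv(der, q)
            if tag != 0xA1:                         # [1] unauthenticatedAttributes only
                continue
            a = vs
            while a < q:                            # each Attribute
                _, body, a = read_tlv(der, a)
                _, s, e = read_tlv(der, body)       # attribute type OID
                if decode_oid(der[s:e]) != OID_NESTED_SIGNATURE:
                    continue
                _, v, v_end = read_tlv(der, e)      # SET OF values, each a ContentInfo
                while v < v_end:
                    _, _, nxt = read_tlv(der, v)
                    found.extend(signature_digests(der[v:nxt]))
                    v = nxt
    return found

def os_support(digests):
    """Per the thread: XP/Vista need a SHA-1 file signature; SHA-2-only shows 'unknown publisher'."""
    sha1, sha2 = "sha1" in digests, bool({"sha256", "sha384", "sha512"} & set(digests))
    return ("dual-signed: accepted on XP/Vista and on SHA-2-capable Windows" if sha1 and sha2 else
            "sha2-only: rejected on XP/Vista" if sha2 else
            "sha1-only: accepted on XP/Vista" if sha1 else "no recognised digest")

def der(tag, *children):
    """Minimal DER encoder, used only to build the constructed sample below."""
    body = b"".join(children)
    n = len(body)
    if n >= 0x80:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body

def der_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        bits = [p & 0x7F]
        while p > 0x7F:                             # base-128, high bit marks continuation
            p >>= 7
            bits.insert(0, 0x80 | (p & 0x7F))
        out += bits
    return der(0x06, bytes(out))

def fake_signed_data(digest_oid, nested=None):
    """Constructed, cryptographically meaningless SignedData for exercising the walker."""
    alg = der(0x30, der_oid(digest_oid), der(0x05))
    unauth = b"" if nested is None else der(0xA1, der(0x30, der_oid(OID_NESTED_SIGNATURE), der(0x31, nested)))
    signer = der(0x30, der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x01")), alg,
                 der(0x30, der_oid("1.2.840.113549.1.1.1"), der(0x05)), der(0x04, bytes(4)), unauth)
    signed = der(0x30, der(0x02, b"\x01"), der(0x31, alg),
                 der(0x30, der_oid("1.3.6.1.4.1.311.2.1.4")), der(0x31, signer))
    return der(0x30, der_oid(OID_SIGNED_DATA), der(0xA0, signed))
```

To use it on a real file, pass the raw PKCS#7 blob from the PE security directory to `signature_digests` and the resulting list to `os_support`; a release signed only with the new SHA-2-only certificate or the EV dongle comes back as `["sha256"]`, while the previous tap-windows6 release's dual signature comes back as `["sha1", "sha256"]`. The walker only reads the first entry of digestAlgorithms and the nested-signature attribute, so timestamp counter-signatures (which may legitimately still use SHA-1 in their own message imprint) do not distort the result.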